Good questions to ask about risk separate strong governance from weak governance. The right questions surface assumptions, expose blind spots, and turn risk reviews into decisions that change behavior.
A regional hospital network in Ohio held its quarterly risk committee meeting in early 2024.
The committee reviewed a 40-page risk report, approved the risk register without discussion, and adjourned in 22 minutes.
Three months later, a ransomware attack shut down the network’s electronic health records for 11 days.
The post-incident review uncovered that the risk register had listed “cyber threat” as a medium-rated risk for six consecutive quarters — no one on the committee had ever asked a follow-up question.
No one asked: What would happen to patient care if our EHR went offline for more than 48 hours? No one asked: When was the last time we tested our incident response plan?
No one asked: Are our backup systems recoverable within our stated RTO? The risk was identified.
The score was assigned. But the questions that would have turned that score into action were never posed. The organization paid $4.7 million in incident response costs, regulatory fines, and patient diversion expenses.
That story is not unusual. According to NC State’s 2024 ERM Initiative survey, only 28% of US organizations report that their board risk oversight processes are “mature or robust.”
The global risk management market is projected to reach $52 billion by 2032, growing at 15.4% CAGR — proof that organizations are investing in risk infrastructure. But infrastructure without inquiry is a dashboard no one reads.
The differentiator between organizations that manage risk effectively and those that merely report on it is the quality of the questions they ask, who asks them, and what happens with the answers.
| Key Takeaways |
| --- |
| The quality of an organization’s risk management is determined not by the sophistication of its models but by the quality of the questions it asks. Structured risk questions, organized by ISO 31000 lifecycle phase, expose blind spots that generic checklists miss. |
| Seven question categories cover the full risk lifecycle: context and scope, risk identification, risk analysis, risk evaluation, risk treatment, monitoring and review, and communication and reporting. Each phase requires different questions for different audiences. |
| Board-level risk questions differ fundamentally from operational questions. Directors should ask about risk appetite alignment, emerging threats, control effectiveness, and residual risk trends — not individual risk details. |
| Organizations that implement structured risk questioning frameworks detect 78% of risk events early (vs. 25% without), reduce regulatory findings by 75%, and cut average incident response time from 72 hours to 24 hours. |
| The global risk management market was valued at $12.6 billion in 2022 and is projected to reach $52 billion by 2032 — evidence that asking the right risk questions has become a core business competency, not an audit exercise. |
| Every risk question should drive action: identify who owns the answer, set a deadline for response, and track whether the answer changes the risk register, treatment plan, or escalation status. |
This guide provides 57 essential risk questions organized by ISO 31000 lifecycle phase. Each section includes a table of questions with the intended audience, the action the answer should trigger, and alignment to COSO ERM principles. By the end, you will have a reusable question bank that transforms risk meetings from passive reporting to active decision-making.

Why Risk Questions Matter More Than Risk Scores
A risk score of 16 on a 5×5 matrix tells you the risk is in the red zone.
But a score alone does not tell you whether the control environment is functioning, whether the risk is accelerating or decelerating, whether the organization’s risk appetite has changed, or whether the risk owner has the authority and resources to act.
Questions unlock the context behind the number.
The ISO 31000:2018 standard explicitly states that risk management should be “structured and comprehensive” (Principle b) and “customized” (Principle c) — objectives achievable only through disciplined questioning at every phase of the lifecycle.

| Metric | Without Structured Risk Questions | With Structured Risk Questions |
| --- | --- | --- |
| Risk events detected early | 25% of risks flagged before materialization | 78% of risks flagged before materialization |
| Board confidence in risk oversight | 40% of directors rate oversight as adequate | 82% of directors rate oversight as adequate |
| Average regulatory findings per audit | 8.5 findings per examination | 2.1 findings per examination |
| Percentage of losses prevented | 15% of potential losses mitigated through early action | 47% of potential losses mitigated through early action |
| Average incident response time | 72 hours from detection to containment | 24 hours from detection to containment |
Phase 1: Context and Scope — Setting the Foundation
Before identifying a single risk, the risk management process requires clarity on context: What are we protecting? What are our objectives?
What is our tolerance for loss? Skipping this phase is the most common root cause of risk programs that generate reports but fail to influence decisions.
These questions align with ISO 31000 Clause 5.4.1 (Establishing the Context) and COSO ERM Component 1 (Governance and Culture).
| # | Question | Intended Audience | Action if Answer Is Unclear | Framework Ref |
| --- | --- | --- | --- | --- |
| 1 | What are the organization’s strategic objectives for the next 12–36 months, and which objectives carry the highest risk of non-achievement? | Board / C-Suite | Convene strategy-risk alignment workshop before proceeding with risk identification | COSO Principle 6 |
| 2 | Has the risk appetite statement been reviewed and approved within the last 12 months? | CRO / Risk Committee | Draft or refresh the risk appetite statement with quantified thresholds | ISO 31000 5.4.1 |
| 3 | Do we treat risk reactively — only after incidents — or do we have a proactive identification process? | Risk Manager / Internal Audit | Design a forward-looking risk identification cadence with leading indicators | COSO Principle 10 |
| 4 | What is the tone at the top regarding risk-taking? Does leadership model the behavior it expects? | Board / Risk Committee | Conduct a risk culture survey and benchmark against COSO Governance and Culture component | COSO Principle 3 |
| 5 | Are our most critical assets identified, valued, and mapped to specific risk owners? | COO / Asset Owners | Complete a critical asset inventory with assigned owners and dependency maps | ISO 31000 5.4.1 |
| 6 | Are external context factors (regulatory, economic, geopolitical, technological) formally scanned at least quarterly? | CRO / Strategy Team | Implement a quarterly external environment scan with documented emerging risk inputs | ISO 31000 5.4.1 |
| 7 | Does our risk framework cover all risk categories: strategic, operational, financial, compliance, and reputational? | CRO / ERM Team | Map existing risk register against a five-category taxonomy and close gaps | COSO Principle 9 |
| 8 | Who is accountable for risk management outcomes, and does that accountability have consequences? | CEO / Board | Define risk management RACI with clear escalation triggers and performance metrics | COSO Principle 5 |
Phase 2: Risk Identification — Finding What Could Go Wrong
Risk identification is where most organizations start — and where most stop too early. A healthy risk identification process goes beyond brainstorming to include scenario analysis, historical loss data review, and structured stakeholder interviews.
The questions below challenge teams to look beyond obvious risks and into emerging, interconnected, and second-order threats.

| # | Question | Intended Audience | Action if Answer Is Unclear | Framework Ref |
| --- | --- | --- | --- | --- |
| 9 | What risks could prevent us from achieving our top three strategic objectives this year? | C-Suite / Business Unit Heads | Run a facilitated risk identification workshop linked to strategic plan | COSO Principle 10 |
| 10 | What has changed in our operating environment since the last risk assessment that could create new risks? | Risk Manager / Operations | Conduct a change-triggered risk review (new regulation, market shift, technology adoption) | ISO 31000 6.4.2 |
| 11 | Are we capturing emerging risks — threats that have not yet materialized but show early signals? | CRO / Strategy | Establish an emerging risk register with signal-based triggers and quarterly horizon scanning | COSO Principle 11 |
| 12 | What are the interdependencies between our top risks? Could one risk trigger a cascade? | Risk Manager / BCP Lead | Map risk interconnections using a bow-tie analysis or dependency matrix | ISO 31000 6.4.2 |
| 13 | Have we asked frontline employees what worries them? Do they have a safe channel to report risk concerns? | Risk Manager / HR | Deploy an anonymous risk survey and integrate findings into the risk register | COSO Principle 4 |
| 14 | What risks are our competitors facing that we might also be exposed to? | Strategy / Risk Manager | Conduct a competitor risk benchmarking exercise using public filings and industry reports | ISO 31000 5.4.1 |
| 15 | Are there risks we have consciously accepted that should be re-evaluated given current conditions? | Risk Committee | Review all accepted risks against current risk appetite; escalate any that now exceed thresholds | COSO Principle 13 |
Phase 3: Risk Analysis and Evaluation — Sizing and Prioritizing
Once risks are identified, the next step is to analyze their likelihood and impact and evaluate them against the organization’s risk appetite and tolerance.
This is where risk scoring methodologies come into play, but the questions must go deeper than “What’s the score?” to challenge assumptions, test data quality, and validate assessment consistency.
| # | Question | Intended Audience | Action if Answer Is Unclear | Framework Ref |
| --- | --- | --- | --- | --- |
| 16 | What data sources are we using to estimate likelihood and impact? Are they current, credible, and sufficient? | Risk Analyst / CRO | Audit data inputs for each top-10 risk; replace anecdotal estimates with loss data or scenario models | ISO 31000 6.4.3 |
| 17 | How confident are we in our risk scores? What is the margin of error or range of uncertainty? | Risk Committee | Apply sensitivity analysis or Monte Carlo simulation to test score robustness | ISO 31000 6.4.4 |
| 18 | Are we using the same rating scales consistently across business units and risk categories? | CRO / Risk Manager | Calibrate risk scales through cross-functional workshops with facilitated scoring exercises | COSO Principle 12 |
| 19 | Which risks exceed our stated risk appetite or tolerance? What is our escalation protocol? | Board / CRO | Produce a risk appetite breach report and trigger the defined escalation response | COSO Principle 8 |
| 20 | Have we assessed the velocity of each risk — how quickly it could move from early signal to full impact? | Risk Analyst | Add a velocity dimension to the risk register for all high-rated risks | ISO 31000 6.4.3 |
| 21 | Are we distinguishing between inherent risk (before controls) and residual risk (after controls)? | Risk Manager / Internal Audit | Score each risk on both inherent and residual basis; document control effectiveness separately | COSO Principle 15 |
| 22 | What is the aggregate risk exposure across the portfolio? Are we looking at risks individually or as a portfolio? | CRO / Board | Build an aggregate risk exposure model that accounts for correlations and concentrations | COSO Principle 14 |

Phase 4: Risk Treatment — Deciding What to Do
Risk treatment is where questions translate into budget, action, and accountability. The four treatment options — avoid, reduce, transfer, and accept — are well-known, but the questions that determine which option is selected, how much to invest, and who owns the outcome are frequently skipped.
These questions align with ISO 31000 Clause 6.5 and COSO’s Risk Response principle (Principle 13).
| # | Question | Intended Audience | Action if Answer Is Unclear |
| --- | --- | --- | --- |
| 23 | Are our current controls adequate and tested? When was each key control last validated? | Internal Audit / Risk Owner | Schedule control effectiveness testing for all high-risk controls within 60 days |
| 24 | Does our hedging or insurance strategy still make sense given current market conditions? | CFO / Risk Manager | Commission a total-cost-of-risk review covering insurance, retention, and alternative risk transfer |
| 25 | Are we managing risk fast enough? Can we act within the risk’s velocity window? | Risk Owner / Operations | Map response timelines against risk velocity; close gaps with pre-authorized response protocols |
| 26 | What is the cost-benefit of each mitigation option? Are we spending proportionally to the risk? | CFO / CRO | Produce a cost-benefit analysis for the top-10 risk treatments; present to risk committee for approval |
| 27 | Do risk owners have the authority and budget to implement their assigned treatments? | CEO / Risk Committee | Confirm delegation of authority for each risk treatment; eliminate unfunded mandates |
| 28 | Are we relying too heavily on one treatment option (e.g., insurance) while ignoring loss prevention? | CRO / Risk Manager | Audit the treatment mix across the risk register; ensure layered defense-in-depth approach |
| 29 | Have we identified secondary risks created by our treatment actions? | Risk Analyst | Conduct a secondary risk assessment for each major treatment plan before implementation |
Phase 5: Monitoring, Reporting, and Board-Level Questions
The final lifecycle phases — monitoring, review, communication, and reporting — determine whether risk management stays alive between assessment cycles.
Board members and senior leaders should use these questions to test whether the risk management integration is producing actionable intelligence or decorative dashboards. These questions connect to KRI dashboard best practices and risk quantification for board reporting.
| # | Question | Intended Audience | Action if Answer Is Unclear |
| --- | --- | --- | --- |
| 30 | Which key risk indicators (KRIs) are we tracking, and have any breached their thresholds this quarter? | CRO / Risk Committee | Define or refresh KRIs for each top-10 risk with green/amber/red thresholds and escalation triggers |
| 31 | Are risk reports reaching the right people at the right time? Who sees risk data and how often? | CRO / Board Secretary | Map the risk reporting distribution and cadence; close any gaps in stakeholder coverage |
| 32 | When was the last time we tested our business continuity or disaster recovery plan? | BCP Lead / Risk Committee | Schedule a tabletop exercise within 90 days; document lessons learned and update plans |
| 33 | What risks materialized in the last 12 months that we did not have on the register? | CRO / Internal Audit | Conduct a near-miss and incident review; feed findings back into the risk identification process |
| 34 | How do our risk trends compare to this time last year? Are we getting better or worse? | Board / CRO | Produce a year-over-year risk trend dashboard showing movement in top risks and control effectiveness |
| 35 | Are we communicating risk to stakeholders in language they understand and can act on? | CRO / Communications | Tailor risk reports by audience: technical detail for risk owners, executive summary for the board |
| 36 | Does the board allocate sufficient meeting time to risk oversight, or is it a five-minute agenda item? | Board Chair | Dedicate a minimum 20% of board meeting time to risk; schedule deep-dive sessions on top-3 risks |
Risk Questions by Role: A Quick-Reference Summary
Different roles need different questions. A board director asking about individual control testing wastes the committee’s time.
A risk analyst who never asks about strategic alignment misses the point of the assessment. The table below maps the right questions to the right audience, connecting to the Three Lines Model for clear accountability.
| Role | Top 3 Questions to Ask | Three Lines Alignment | Meeting Context |
| --- | --- | --- | --- |
| Board Director | Are we taking the right risks to achieve our strategy? What risks exceed our appetite? What changed since last quarter? | Oversight body (above the three lines) | Quarterly board risk committee; annual strategy offsite |
| CEO / C-Suite | Which risks threaten our strategic objectives? Do risk owners have authority and budget? Is our risk culture healthy? | First line (sets risk direction) | Monthly executive risk review; strategic planning sessions |
| Chief Risk Officer | Are emerging risks being captured? Is scoring consistent and data-driven? Are KRIs triggering timely actions? | Second line (risk oversight) | Weekly risk team meetings; quarterly board reporting |
| Internal Auditor | Are key controls operating effectively? Are risk owners addressing findings on time? Where are the assurance gaps? | Third line (independent assurance) | Audit committee sessions; continuous auditing cycles |
| Risk Owner / Manager | What has changed in my risk area? Are my controls tested and documented? Do I need additional resources? | First line (owns and manages risk) | Daily operations; monthly risk reviews with CRO |
| Project Manager | What risks could delay this project? Have we scored them and assigned owners? Is there a contingency budget? | First line (project-level) | Project kickoff; weekly project risk reviews; stage gates |
Implementation Roadmap: Building a Risk Question Culture
Asking good risk questions is a capability, not a one-time exercise. The roadmap below outlines a phased approach to embedding structured risk questioning into your organization’s risk management lifecycle and governance processes.
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1–30: Foundation | Select 15–20 core risk questions from this guide; customize for your industry and risk profile; assign each question to a specific role and meeting cadence; train risk committee members on how to use the question bank | Customized risk question bank (by phase and role); 1-hour training session for risk committee; question integration into board agenda template | Risk committee members can articulate 5+ structured risk questions without prompting; board agenda includes dedicated risk Q&A section |
| Days 31–60: Pilot | Deploy the question bank in 2–3 risk committee meetings; track which questions generate new information vs. recycled answers; identify questions that consistently expose blind spots; gather feedback from risk owners on question quality | Meeting notes documenting question outcomes; blind spot register (new risks or insights surfaced); feedback summary from risk owners | At least 3 new risk insights or register updates generated per meeting; 80%+ of participants rate questions as useful |
| Days 61–90: Embed | Integrate top-performing questions into standard meeting templates across all levels; build a KRI dashboard that answers the monitoring questions automatically; schedule quarterly question bank review and refresh; benchmark question-driven risk outcomes against prior year | Updated board and management meeting templates; KRI dashboard with automated answers to monitoring questions; quarterly question refresh calendar | 50% reduction in risk committee meetings that end without action items; year-over-year improvement in early risk detection rate |
Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Asking too many questions at once | Question fatigue; meetings become interrogations instead of discussions | Limit each meeting to 5–7 prioritized questions; rotate question focus by lifecycle phase each quarter |
| Asking the right questions to the wrong audience | No role-based question mapping; board members asked operational details | Use the role-based question table above; match question complexity to audience authority level |
| Questions without follow-through | No one tracks whether answers lead to register updates or treatment changes | Assign an owner and deadline to every question; track outcomes in a question-action log |
| Confusing risk questions with audit findings | Internal audit asks compliance questions in a risk committee setting | Separate risk committee questions (forward-looking) from audit questions (backward-looking assurance) |
| Recycling the same questions every meeting | No question refresh cadence; stale questions produce stale answers | Review and update the question bank quarterly; add questions triggered by new incidents or emerging risks |
| Avoiding uncomfortable questions | Risk culture penalizes bad news; CRO lacks board-level independence | Ensure CRO has direct board access; normalize the practice of asking “What could go wrong?” as a sign of strength |
| No connection between questions and risk appetite | Questions asked in a vacuum without referencing defined tolerances | Anchor every evaluation question to a specific risk appetite threshold or KRI trigger level |
Frequently Asked Questions on Good Questions to Ask About Risk
What are good questions to ask about risk in a board meeting?
Good questions to ask about risk in a US board meeting fall into three families. First, exposure: what is our largest single risk this quarter and how confident are we in the number?
Second, controls: which top-five controls would we miss most if they failed tomorrow? Third, accountability: who owns each top risk by name? The IIA Three Lines Model gives the structure.
What good questions to ask about risk should a CRO bring to a quarterly risk review?
A US CRO should bring four good questions to ask about risk into every quarterly review. What changed in our top-ten risks since last quarter?
Where did residual scores move and why? Which key risk indicators broke threshold? Which board decision in the last quarter changed because of a risk number? The fourth question is the one that separates a working program from a quarterly slide deck.
How do good questions to ask about risk change at each ISO 31000 phase?
Good questions to ask about risk shift purpose with each ISO 31000 phase. Context-setting questions test scope and tolerance. Identification questions surface what is missing from the register.
Analysis questions challenge the data behind every score. Treatment questions force a choice between accept, transfer, mitigate, or avoid. Monitoring questions ask whether the controls actually fired during the quarter under review.
What good questions to ask about risk help identify emerging threats?
To surface emerging threats, ask three good questions to ask about risk that most registers miss. What risk would embarrass us most on a national news outlet next year? Which vendor failure would cascade through our top-three revenue streams?
Which AI use case have we deployed without a control owner? The approaches and tools for risk identification guide pairs these prompts with structured techniques.
How many good questions to ask about risk should a risk committee cover per meeting?
Six to ten good questions to ask about risk per meeting is the working US benchmark. Fewer than six and the committee is rubber-stamping a slide pack. More than ten and the discussion turns into a recital.
Our recommendation is two context questions, three deep-dive risk questions on the largest exposure, two control-effectiveness questions, and one decision question that closes the meeting with a named action.
What good questions to ask about risk separate effective programs from compliance theater?
Two good questions to ask about risk reliably separate effective US programs from compliance theater. First, name one decision in the last quarter that changed because of a risk measurement number.
Second, name one risk where the residual score moved this quarter and explain the control change behind it. Programs that cannot answer either are producing reports for the audit committee, not running risk management.
Where do most teams go wrong with good questions to ask about risk?
Three failure patterns dominate.
Teams ask questions only at the analysis phase and skip context-setting. They direct every question at the second line of defense, leaving business owners untested. They accept narrative answers when a number is available.
The fix is to rotate questions across all five lifecycle steps and require a metric in every answer where one exists.
How can a small US firm start using good questions to ask about risk effectively?
A small US firm can start with a one-page sheet of ten good questions to ask about risk and a 30-minute monthly meeting.
Pick two context questions, four identification questions, two scoring questions, and two treatment questions.
Anchor the sheet to your risk appetite statement and to a basic register. The full COSO and ISO machinery layers on as the program matures.
Looking Ahead: How Risk Questions Will Evolve (2026–2028)
AI-generated risk questions. Large language models trained on incident databases, regulatory change feeds, and internal risk data will soon generate tailored risk questions automatically — surfacing questions that human facilitators might not consider.
Early adopters are already using AI to scan board packs and flag gaps in risk coverage before meetings. The AI risk assessment framework will itself need to be questioned: What biases are embedded in the AI’s training data? Who validates the machine-generated questions?
Real-time risk questioning through KRI automation. The future of risk monitoring is not a quarterly meeting but a continuous question-and-answer loop driven by automated KRI dashboards.
When a KRI breaches a threshold, the system automatically generates the relevant questions: What caused the breach? Has the control failed? Does the risk owner need additional resources? Is escalation required?
This shifts risk questioning from a meeting-based activity to a signal-based workflow.
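The signal-based workflow described above, together with the green/amber/red KRI thresholds from question 30 and the question-action log recommended in the Key Takeaways, can be prototyped in a few dozen lines. The following is an added example written for this guide, not code from the article or from Risk Publishing: it scores a small register on the 5×5 matrix (inherent and residual separately), checks each KRI against its amber and red thresholds, flags residual scores above a risk appetite ceiling, and turns every breach into a log entry with a named owner, an escalation target, a deadline and the follow-up questions the signal should trigger. The risks, indicators, thresholds, owners and deadline windows are all constructed for illustration.

```python
"""KRI-driven risk questioning: evaluate a register against thresholds and
risk appetite, then emit owned, dated follow-up questions into a
question-action log. Added example; every value below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Follow-up questions per trigger; the "red" set is the one the article lists.
QUESTIONS = {
    "red": ["What caused the breach?", "Has the control failed?",
            "Does the risk owner need additional resources?",
            "Is escalation required?"],
    "amber": ["What is driving the indicator toward its red threshold?",
              "Which control would arrest the trend, and is it operating?"],
    "appetite": ["Which treatment (avoid, reduce, transfer, accept) closes the gap to appetite?",
                 "Who approved carrying this residual exposure, and when?"],
}
DEADLINE_DAYS = {"red": 10, "amber": 30, "appetite": 14}   # assumed SLAs
ESCALATE_TO = {"red": "risk committee", "amber": "risk owner",
               "appetite": "board risk committee"}


@dataclass
class KRI:
    """One key risk indicator with inclusive amber/red thresholds."""
    name: str
    value: float
    amber: float
    red: float
    higher_is_worse: bool = True

    def status(self) -> str:
        """Return green, amber or red depending on which band the value sits in."""
        if self.higher_is_worse:
            if self.value >= self.red:
                return "red"
            if self.value >= self.amber:
                return "amber"
        else:
            if self.value <= self.red:
                return "red"
            if self.value <= self.amber:
                return "amber"
        return "green"


@dataclass
class Risk:
    """Register entry scored on a 5x5 matrix, inherent and residual kept apart."""
    risk_id: str
    title: str
    owner: str
    inherent: tuple   # (likelihood, impact), each 1..5
    residual: tuple
    kris: list

    @staticmethod
    def _score(pair) -> int:
        likelihood, impact = pair
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        return likelihood * impact

    def inherent_score(self) -> int:
        return self._score(self.inherent)

    def residual_score(self) -> int:
        return self._score(self.residual)


def _entry(risk: Risk, today: date, trigger: str, signal: str) -> dict:
    """Build one question-action log entry: owner, escalation, deadline, questions."""
    return {
        "risk_id": risk.risk_id, "trigger": trigger, "signal": signal,
        "owner": risk.owner, "escalate_to": ESCALATE_TO[trigger],
        "deadline": (today + timedelta(days=DEADLINE_DAYS[trigger])).isoformat(),
        "questions": list(QUESTIONS[trigger]), "status": "open",
    }


def evaluate_register(risks: list, appetite_max_residual: int, today: date) -> list:
    """Walk the register; every amber/red KRI and every residual score above
    appetite becomes an open log entry. Red and appetite breaches sort first."""
    log = []
    for risk in risks:
        for kri in risk.kris:
            level = kri.status()
            if level != "green":
                log.append(_entry(risk, today, level, f"{kri.name}={kri.value}"))
        if risk.residual_score() > appetite_max_residual:
            log.append(_entry(risk, today, "appetite",
                              f"residual {risk.residual_score()} > appetite {appetite_max_residual}"))
    order = {"red": 0, "appetite": 1, "amber": 2}
    log.sort(key=lambda e: (order[e["trigger"]], e["risk_id"]))
    return log


# Constructed sample register (illustrative values, not real data).
SAMPLE_REGISTER = [
    Risk("R-01", "EHR unavailable beyond 48h", "CIO", (4, 5), (3, 4), [
        KRI("days since last DR test", 200, amber=90, red=180),
        KRI("backup restore success rate %", 97, amber=98, red=95, higher_is_worse=False),
    ]),
    Risk("R-02", "Critical vendor outage", "COO", (3, 4), (2, 3), [
        KRI("critical vendors without tested exit plan", 1, amber=2, red=4),
    ]),
    Risk("R-03", "Ransomware via unpatched edge device", "CISO", (5, 5), (4, 4), [
        KRI("internet-facing assets past patch SLA", 3, amber=5, red=10),
    ]),
]
APPETITE_MAX_RESIDUAL = 12   # assumed appetite ceiling on the 5x5 residual score


def run_sample(today_iso: str = "2024-01-15") -> list:
    """Evaluate the constructed register as of a given date."""
    return evaluate_register(SAMPLE_REGISTER, APPETITE_MAX_RESIDUAL, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for e in run_sample():
        print(f"{e['risk_id']} [{e['trigger']}] {e['signal']} -> {e['owner']}, "
              f"escalate to {e['escalate_to']} by {e['deadline']}")
        for q in e["questions"]:
            print("   -", q)
```

Three things the run shows that the prose alone does not: a risk can sit exactly at appetite (R-01, residual 12) and still need attention because its indicators are already red; an indicator where lower is worse needs its own direction flag or the thresholds silently invert; and the log entry, not the dashboard colour, is the artifact that answers "who owns the answer and by when".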
Regulatory expectations for documented risk challenge. Financial regulators in the US and Europe are increasingly expecting boards to demonstrate not just that risks were reported but that they were challenged.
The OCC’s heightened standards guidance and the UK’s Senior Managers and Certification Regime both require evidence of informed challenge.
Organizations that document their risk questions, the answers received, and the actions taken will be better positioned for regulatory examinations. Connecting this to operational resilience frameworks strengthens the case further.
Cross-functional risk questioning. Siloed risk conversations — where the cyber team asks cyber questions, the financial team asks financial questions, and the operational team asks operational questions — miss the interconnections that cause the biggest losses.
The trend toward integrated risk management will drive cross-functional risk questioning forums where a single risk event is examined through multiple lenses: financial impact, operational disruption, reputational consequence, regulatory exposure, and business continuity implications.
Ready to upgrade your organization’s risk questioning capability? Visit riskpublishing.com/services for ERM frameworks, risk assessment templates, risk management training, and consulting engagements. Questions? Get in touch — we respond within 24 hours.
References
1. ISO 31000:2018 — Risk Management Guidelines
2. COSO Enterprise Risk Management — Integrating with Strategy and Performance (2017)
3. NC State ERM Initiative — 2024 State of Risk Oversight Report
4. Allied Market Research — Risk Management Market Forecast to 2032
5. IIA — The Three Lines Model (2020)
6. Wolters Kluwer — Risk Management Principles: ISO 31000 and COSO ERM
7. NIST Risk Management Framework (SP 800-37 Rev 2)
8. TechTarget — ISO 31000 vs COSO: Comparing Risk Management Standards
9. BDO USA — ERM Risk Assessment Questions for Boards
10. Norman Marks — Are You Managing Risk Fast Enough?
11. LexisNexis — Tone at the Top: Risk Culture Assessment Questions
12. ASIS International — Enterprise Security Risk Management Standard
13. Deloitte — Global Risk Management Survey (2024)
14. PwC — Global Risk Survey: Navigating Uncertainty with Confidence

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.